User Privacy and the Phishing Filter

When we shipped the Microsoft Phishing Filter in Internet Explorer 7 Beta 1, many readers on the blog asked: if the Phishing Filter is checking suspicious URLs against a web service, how would Microsoft protect user privacy?

We know that for customers to benefit from the work we put into the Phishing Filter, they have to trust us enough to use it. As you’ve been hearing for years, Microsoft now engineers our products to be more secure by default. In the same way, we engineered the Phishing Filter to protect user privacy. Most importantly, when the Phishing Filter checks if a site is a phishing site, the URL it sends to the web service cannot be used to personally identify you. That was just one of the ways that we engineered the Phishing Filter to protect user privacy.

To prove that the Phishing Filter protects privacy, we asked Jefferson Wells, a well-known technology audit firm, to take a look at our design. We gave them in-depth access to the technology and to the engineering team. After they studied the technology and interviewed the engineering team, they agreed that the claims we made about protecting your privacy are true and accurate.

We want you to understand that this is a long-term commitment to protect your privacy. To prove our ongoing commitment, we’re going to repeat this audit periodically so that even if the service changes in some way, you’ll still have proof that the web service protects your privacy.